[Samba] samba/ldap setup stopped working (might be a challenge) - Samba


Thread: [Samba] samba/ldap setup stopped working (might be a challenge)

  1. [Samba] samba/ldap setup stopped working (might be a challenge)

    Hi,

    two days ago my functioning samba/ldap server stopped working. I *think* the
    problem is somehow related to the fact I transferred everything to a new
    server, but that was two months ago. Trouble started yesterday morning after
    a power-outage.

    Configuration: ubuntu 8.04, with a standard samba, ldap and smbldap-tools
    installed via apt-get.

    When users tried to login, they got a message "a device connected to the
    system is not working". (All windows messages are roughly translated from
    Dutch.) After some research, I discovered that there was a conflict between
    the SID on my server and the ones users had in the ldap database. Obviously
    this is because of the server migration I did a few months ago. But why
    problems started only now, I do not really know. At any rate, things
    improved when I changed the sambaSID so that it contained the server SID.

    Now some users can login on machines they used before, but not on all
    machines. If they try to login on a machine where they did not work before,
    they get a message saying that their password is wrong. However, the samba
    logs show the following:

    [2008/06/04 19:20:43, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
    init_sam_from_ldap: Entry found for user: yvan
    [2008/06/04 19:20:43, 2] passdb/pdb_ldap.c:init_group_from_ldap(2162)
    init_group_from_ldap: Entry found for group: 1000
    [2008/06/04 19:20:43, 2] passdb/pdb_ldap.c:init_group_from_ldap(2162)
    init_group_from_ldap: Entry found for group: 1000
    [2008/06/04 19:20:43, 2] auth/auth.c:check_ntlm_password(309)
    check_ntlm_password: authentication for user [yvan] -> [yvan] -> [yvan]
    succeeded

    Seems ok to me.

    I figured it might perhaps have something to do with the computer accounts
    themselves, which still have the wrong SID. But changing one manually didn't
    solve anything. The problem stays the same. I also took a machine from the
    domain, but cannot add it again. Windows gives me a "user unknown" reply
    when I do. The samba logs tell me this:

    [2008/06/04 17:49:13, 2] smbd/reply.c:reply_special(324)
    netbios connect: name1=OCTOPUS name2=CO114-PC12
    [2008/06/04 17:49:13, 2] smbd/reply.c:reply_special(331)
    netbios connect: local=octopus remote=co114-pc12, name type = 0
    [2008/06/04 17:49:13, 2] smbd/sesssetup.c:setup_new_vc_session(1209)
    setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
    old resources.
    [2008/06/04 17:49:13, 2] smbd/sesssetup.c:setup_new_vc_session(1209)
    setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
    old resources.
    [2008/06/04 17:49:13, 2] lib/smbldap.c:smbldap_open_connection(786)
    smbldap_open_connection: connection opened
    [2008/06/04 17:49:13, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
    init_sam_from_ldap: Entry found for user: root
    [2008/06/04 17:49:13, 2] auth/auth.c:check_ntlm_password(309)
    check_ntlm_password: authentication for user [root] -> [root] -> [root]
    succeeded
    [2008/06/04 17:49:13, 0] groupdb/mapping.c:pdb_create_builtin_alias(739)
    pdb_create_builtin_alias: Could not add group mapping entry for alias 544
    (NT_STATUS_GROUP_EXISTS)
    [2008/06/04 17:49:13, 0] auth/auth_util.c:create_builtin_administrators(792)
    create_builtin_administrators: Failed to create Administrators
    [2008/06/04 17:49:13, 2] auth/auth_util.c:create_local_nt_token(914)
    create_local_nt_token: Failed to create BUILTIN\Administrators group!
    [2008/06/04 17:49:13, 0] groupdb/mapping.c:pdb_create_builtin_alias(739)
    pdb_create_builtin_alias: Could not add group mapping entry for alias 545
    (NT_STATUS_GROUP_EXISTS)
    [2008/06/04 17:49:13, 0] auth/auth_util.c:create_builtin_users(758)
    create_builtin_users: Failed to create Users
    [2008/06/04 17:49:13, 2] auth/auth_util.c:create_local_nt_token(941)
    create_local_nt_token: Failed to create BUILTIN\Users group!
    [2008/06/04 17:49:13, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2916)
    Returning domain sid for domain SCHOOL ->
    S-1-5-21-2448809205-3807961929-1645749690

    The machine account is created, that much is sure. (I'll tell more about the
    "Failed to create ..." errors later on.)

    In the ldap database, the machine gets an entry like this:

    cn co114-pc12$
    description Computer
    gecos Computer
    gidNumber 515
    homeDirectory /dev/null
    loginShell /bin/false
    uid co114-pc12$
    uidNumber 1008

    while existing accounts look like this:

    cn co114-pc11$
    description Computer
    displayName co114-pc11$
    gidNumber 100
    homeDirectory /dev/null
    loginShell /bin/false
    sambaAcctFlags [W ]
    sambaNTPassword 76B04CE668008AA41E9ED6829A71EE5E
    sambaPrimaryGroupSID S-1-5-21-474648322-3185173744-4186694333-1201
    sambaPwdCanChange 1192187861
    sambaPwdLastSet 1192187861
    sambaPwdMustChange 2147483647
    sambaSID S-1-5-21-474648322-3185173744-4186694333-7194
    sn co114-pc11$
    uid co114-pc11$
    uidNumber 3097

    I think the samba information is needed for the machine. Or should it get
    created when the machine contacts the domain for the first time? Anyway,
    that does not happen. The computer does not join the domain after it gets
    the SID from the server.

    Now about the other errors in the logs. From the moment the server is
    started, I get a lot of these:

    [2008/06/04 19:20:43, 0] groupdb/mapping.c:pdb_create_builtin_alias(739)
    pdb_create_builtin_alias: Could not add group mapping entry for alias 544
    (NT_STATUS_GROUP_EXISTS)
    [2008/06/04 19:20:43, 0] auth/auth_util.c:create_builtin_administrators(792)
    create_builtin_administrators: Failed to create Administrators
    [2008/06/04 19:20:43, 2] auth/auth_util.c:create_local_nt_token(914)
    create_local_nt_token: Failed to create BUILTIN\Administrators group!
    [2008/06/04 19:20:43, 0] groupdb/mapping.c:pdb_create_builtin_alias(739)
    pdb_create_builtin_alias: Could not add group mapping entry for alias 545
    (NT_STATUS_GROUP_EXISTS)
    [2008/06/04 19:20:43, 0] auth/auth_util.c:create_builtin_users(758)
    create_builtin_users: Failed to create Users
    [2008/06/04 19:20:43, 2] auth/auth_util.c:create_local_nt_token(941)
    create_local_nt_token: Failed to create BUILTIN\Users group!

    At first I thought this was the core of the problem. But I'm not sure about
    that anymore. All the things that failed to be created do exist and seem
    to have the correct SIDs. I also deleted all those items (created by
    smbldap-populate), and ran smbldap-populate again. It neatly created
    everything again. But the errors above persist. One of the few talks about
    this on the web says it's not important, but of course that's just one...

    Well, thanks for reading all this. If any of you have a clue about what is
    going on, I would be very happy to hear from you. I have about 2000 accounts
    and 200 computers in this domain, so a fresh install is really not an
    option.

    Regards,

    yvan vander sanden
    --
    Copyright only exists in the imagination of those who do not have any.
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba
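The post shows two defects side by side: a freshly created machine entry (co114-pc12$) with no samba* attributes at all, and an older entry (co114-pc11$) whose sambaSID and sambaPrimaryGroupSID still carry the pre-migration domain prefix, while the log reports the server's domain SID as S-1-5-21-2448809205-3807961929-1645749690. The following Python script is an added example, not code from the thread or from smbldap-tools: it parses entries in the flat "attribute value" form quoted above (constructed sample input copied from the post) and reports missing Samba attributes, SIDs that belong to a different domain than the one the server announces, and machine accounts lacking the W flag. The required-attribute list and the SID layout (S-1-5-21-a-b-c-RID) are assumptions based on the standard sambaSamAccount schema, not on anything else in the thread.

```python
"""Audit Samba/LDAP account entries for SID-domain mismatches and missing
Samba attributes. Added example; not part of the original post or of
smbldap-tools."""
import re
from typing import Dict, List

# Domain SID the server announces in the _samr_lookup_domain log line above.
SERVER_DOMAIN_SID = "S-1-5-21-2448809205-3807961929-1645749690"

# The two machine entries quoted in the post, in the flat "attribute value"
# form they appear in, separated by a blank line (constructed sample input).
SAMPLE_ENTRIES = """\
cn co114-pc12$
description Computer
gecos Computer
gidNumber 515
homeDirectory /dev/null
loginShell /bin/false
uid co114-pc12$
uidNumber 1008

cn co114-pc11$
description Computer
displayName co114-pc11$
gidNumber 100
homeDirectory /dev/null
loginShell /bin/false
sambaAcctFlags [W ]
sambaNTPassword 76B04CE668008AA41E9ED6829A71EE5E
sambaPrimaryGroupSID S-1-5-21-474648322-3185173744-4186694333-1201
sambaPwdCanChange 1192187861
sambaPwdLastSet 1192187861
sambaPwdMustChange 2147483647
sambaSID S-1-5-21-474648322-3185173744-4186694333-7194
sn co114-pc11$
uid co114-pc11$
uidNumber 3097
"""

# Attributes a sambaSamAccount needs before smbd can authenticate the object
# (assumption based on the standard Samba LDAP schema).
REQUIRED_SAMBA_ATTRS = (
    "sambaSID", "sambaPrimaryGroupSID", "sambaNTPassword", "sambaAcctFlags",
)

# Domain-style SID: S-1-5-21-<a>-<b>-<c>-<RID>.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")


def parse_entries(text: str) -> List[Dict[str, str]]:
    """Split blank-line-separated 'attribute value' lines into dicts."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(" ")
        current[attr] = value.strip()
    if current:
        entries.append(current)
    return entries


def domain_part(sid: str) -> str:
    """Strip the trailing RID: S-1-5-21-a-b-c-RID -> S-1-5-21-a-b-c."""
    return sid.rsplit("-", 1)[0]


def audit_entry(entry: Dict[str, str], domain_sid: str) -> List[str]:
    """Return human-readable findings for one account entry."""
    findings: List[str] = []
    for attr in REQUIRED_SAMBA_ATTRS:
        if attr not in entry:
            findings.append(f"missing {attr}")
    for attr in ("sambaSID", "sambaPrimaryGroupSID"):
        sid = entry.get(attr)
        if sid is None:
            continue
        if not SID_RE.match(sid):
            findings.append(f"{attr} is malformed: {sid}")
        elif domain_part(sid) != domain_sid:
            findings.append(f"{attr} belongs to foreign domain {domain_part(sid)}")
    # Machine accounts (uid ending in '$') must carry the W (workstation) flag.
    flags = entry.get("sambaAcctFlags")
    if entry.get("uid", "").endswith("$") and flags is not None and "W" not in flags:
        findings.append(f"machine account without W flag: {flags}")
    return findings


def audit(text: str, domain_sid: str = SERVER_DOMAIN_SID) -> Dict[str, List[str]]:
    """Map each entry's uid to its findings; clean entries are omitted."""
    report: Dict[str, List[str]] = {}
    for entry in parse_entries(text):
        findings = audit_entry(entry, domain_sid)
        if findings:
            report[entry.get("uid", "<no uid>")] = findings
    return report


if __name__ == "__main__":
    for uid, findings in audit(SAMPLE_ENTRIES).items():
        print(uid)
        for finding in findings:
            print("   ", finding)
```

Run against the two quoted entries it flags co114-pc12$ for four missing attributes and co114-pc11$ for two SIDs from the old domain; feeding it an LDIF export of the whole tree (one blank-line-separated entry per object, with the ":" after attribute names removed or the partition adjusted) gives a quick count of how many of the 2000 accounts and 200 machines still need their SIDs rewritten before the builtin-alias errors can be ruled in or out.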


  2. Re: [Samba] samba/ldap setup stopped working (might be a challenge)

    have you tried taking a misbehaving machine out of the domain, deleting
    its machine account, re-creating it, and re-adding it to the domain?



  3. Re: [Samba] samba/ldap setup stopped working (might be a challenge)

    2008/6/4 Adam Williams :

    > have you tried taking a misbehaving machine out of the domain, deleting
    > its machine account, re-creating it, and re-adding it to the domain?

    Yes. Thing is that the machine account is not recreated correctly. At the
    moment, I have added it manually by

    smbldap-useradd -w machinename$
    smbldap-usermod -a machinename$

    Apparently the samba information is missing if I just use smbldap-useradd -w.

    Could this be a bug? Doing it manually works, but it should be enough with
    just the first command.

    After joining the domain on that pc, I can log in. No errors anymore. It
    goes very slowly though and leaves me on an empty screen. But that might be
    another problem. I am gonna try another pc to make sure.

    Anyway, I'll have to find a way to automatically join the domain again,
    because doing this manually for 200 machines is no fun at all!



  4. Re: [Samba] samba/ldap setup stopped working (might be a challenge)

    Ok,

    I've found a work-around for now. I made this bash script:

    #!/bin/bash
    # Called by samba as the "add machine script": drop any stale entry,
    # create the machine account, then add the samba attributes that
    # smbldap-useradd -w alone does not set.
    machine="$1"
    [ -n "$machine" ] || { echo "usage: $0 machinename\$" >&2; exit 1; }

    /usr/sbin/smbldap-userdel "$machine" || true   # no existing entry is fine
    /usr/sbin/smbldap-useradd -w "$machine"
    /usr/sbin/smbldap-usermod -a "$machine"


    And called this script from within samba, instead of the original script. It
    works, but this is not how it should be. Does anyone else using
    smbldap-tools version 0.9.4-1 have this problem?


